Google and HTTPS: Why You Should Switch Now

…we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. — Google, 2014

Security is critical on the web. And, in the words of Google, we want a safer web for everyone. Google itself makes security a top priority for its users and actively invests in making sure its services use industry-leading security.

Therefore, as of January 15th, 2017, Google is requiring websites to switch from HTTP to HTTPS.

So why should you be switching to HTTPS? Firstly, Google intends to begin penalising websites and website rankings based on their use of HTTP and HTTPS. In fact, this has already begun. As of 2014, websites that use HTTPS were given a small ranking boost. The full force of Google’s penalties will initially roll out in Chrome but will eventually affect all web browsers.

A web with ubiquitous HTTPS is not the distant future. It’s happening now, with secure browsing becoming standard for users of Chrome.

-Google, 2016


At the moment, websites using HTTP are marked as a neutral connection. However, as of January 2017, Google will begin marking HTTP websites that collect passwords or credit cards as non-secure. This is part of a long-term plan to mark all HTTP websites as non-secure.

Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria.

-Google, 2016
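An added example (not from the original article or from Google): a small Python audit a site owner could run over their own pages to find the ones the January 2017 rule above would mark as non-secure. The detection heuristic (password inputs, and inputs whose autocomplete token starts with "cc-"), the function names and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class SensitiveFieldFinder(HTMLParser):
    """Collects password / credit-card inputs and form targets (assumed heuristic)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.fields = []        # (kind, name) for each sensitive input
        self.form_actions = []  # absolute URL each form submits to

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form_actions.append(urljoin(self.page_url, a.get("action", "")))
        elif tag == "input":
            name = a.get("name") or a.get("id") or "(unnamed)"
            tokens = a.get("autocomplete", "").lower().split()
            if a.get("type", "").lower() == "password":
                self.fields.append(("password", name))
            elif any(t.startswith("cc-") for t in tokens):
                self.fields.append(("credit-card", name))


def audit_page(page_url, html):
    """Return findings for one page; an empty list means nothing to flag."""
    finder = SensitiveFieldFinder(page_url)
    finder.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    findings = []
    if not page_is_https:
        for kind, name in finder.fields:
            findings.append(f"{kind} field '{name}' on a page served over HTTP")
    elif finder.fields:
        # An HTTPS page whose form posts to http:// still sends the data in clear.
        for action in finder.form_actions:
            if urlparse(action).scheme == "http":
                findings.append(f"form submits to insecure URL {action}")
    return findings


# Constructed sample pages (not taken from any real site).
LOGIN = '<form action="/session"><input type="password" name="pw"></form>'
PAY = ('<form action="http://shop.example/pay">'
       '<input name="card" autocomplete="cc-number"></form>')

if __name__ == "__main__":
    for url, html in [("http://shop.example/login", LOGIN),
                      ("https://shop.example/login", LOGIN),
                      ("https://shop.example/checkout", PAY)]:
        print(url, audit_page(url, html) or "ok")
```
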

In following releases of Google Chrome, Google intends to extend these warnings. The next stage will be to mark all HTTP pages as non-secure when a user is browsing in Incognito mode – a portion of Google Chrome where users expect higher levels of privacy. From there, Google asserts that the penalties will get stronger.

Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

-Google, 2016

The reasons behind Google enforcing this switch are very important. Browsing online should be a private action between the user and the websites they visit. Switching to HTTPS protects the communications between a user and a website while HTTP does not. As such, Google will be pushing the promotion of pages that use HTTPS over pages that use HTTP.

By showing users HTTPS pages in our search results, we’re hoping to decrease the risk for users to browse a website over an insecure connection and making themselves vulnerable to content injection attacks.

-Google, 2016

So what is Google trying to protect the user from?

HTTP and Hacking

There is a misconception that HTTPS is only for sites that collect sensitive information – such as credit card details and passwords. This is completely untrue. There are many different ways to exploit the unsecured connections of HTTP to create a bad – or even dangerous – user experience.

The least dangerous of these are intrusive content injections. These involve intrusive companies – such as hotels and internet service providers (ISPs) – injecting advertising into a website. The issue with this is that the advertising can break the website design. This can affect your users' experience.

These injected advertisements can also cause security vulnerabilities that can be exploited by hackers – who can then inject malware into your website or directly to your user.

However, the most serious issue that Google wants to stop is network eavesdropping and man-in-the-middle attacks.

Network Eavesdropping

Network eavesdropping is an attack that captures small packets from the network and reads their data content in search of information. This means that hackers can read the uploads and downloads between your website and the user, as they access your website, and steal the information. Network eavesdropping uses user information, activity, and behaviour to reveal the identity of your user.

This has become one of the most effective types of hacking and is actively used by black hat hackers.

Man-in-the-Middle Attacks

Man-in-the-middle attacks use network eavesdropping to spoof a connection between the user and your website. The hacker infiltrates the communication between the user and your website, secretly, and alters the communication – without you or your user knowing!

The attacker can then steal information sent by your website or the user, as well as actively altering data. The hacker intercepts the information being sent by you, to the user, changes it, and then sends it on without anyone being the wiser.

Switching to HTTPS stops these kinds of attacks because Transport Layer Security (TLS), which is part of HTTPS, requires either the user, your website, or both to authenticate the connection before any communication begins. Because man-in-the-middle attacks rely on the hacker being able to completely impersonate both sides of the digital conversation, this authentication stops a hacker from being able to spoof one side or the other. Essentially, it stops anyone eavesdropping on the communication between the user and your website, so data cannot be modified or corrupted.

As such, HTTPS authentication proves that users are only communicating with the intended website. It builds user trust that ultimately translates into bigger business benefits – after all, people are more likely to visit a website that they know is safe!

Whether you switch because of Google’s proposed penalties, or to protect your users, it is important that you begin switching to HTTPS today.